diff --git a/Documentation/variables/config.md b/Documentation/variables/config.md index 41caa7e032b..4e8cbbc4638 100644 --- a/Documentation/variables/config.md +++ b/Documentation/variables/config.md @@ -20,6 +20,7 @@ This document gives an overview of variables used in all platforms of the Tecton | tectonic_container_images | (internal) Container images to use | map | `` | | tectonic_container_linux_channel | (optional) The Container Linux update channel.

Examples: `stable`, `beta`, `alpha` | string | `stable` | | tectonic_container_linux_version | The Container Linux version to use. Set to `latest` to select the latest available version for the selected update channel.

Examples: `latest`, `1465.6.0` | string | `latest` | +| tectonic_custom_ca_pem_list | (optional) A list of PEM encoded CA files that will be installed in /etc/ssl/certs on etcd, master, and worker nodes. | list | `` | | tectonic_ddns_key_algorithm | (optional) This only applies if you use the modules/dns/ddns module.

Specifies the RFC2136 Dynamic DNS server key algorithm. | string | `` | | tectonic_ddns_key_name | (optional) This only applies if you use the modules/dns/ddns module.

Specifies the RFC2136 Dynamic DNS server key name. | string | `` | | tectonic_ddns_key_secret | (optional) This only applies if you use the modules/dns/ddns module.

Specifies the RFC2136 Dynamic DNS server key secret. | string | `` | diff --git a/config.tf b/config.tf index 300c75f5bb0..b8b0ab56b01 100644 --- a/config.tf +++ b/config.tf @@ -11,7 +11,7 @@ provider "external" { } provider "ignition" { - version = "0.1.0" + version = "1.0.0" } provider "local" { @@ -34,6 +34,14 @@ provider "tls" { version = "1.0.0" } +locals { + // The total amount of public CA certificates present in Tectonic. + // That is all custom CAs + kube CA + etcd CA + ingress CA + // This is a local constant, which needs to be dependency inject because TF cannot handle length() on computed values, + // see https://github.com/hashicorp/terraform/issues/10857#issuecomment-268289775. + tectonic_ca_count = "${length(var.tectonic_custom_ca_pem_list) + 3}" +} + variable "tectonic_config_version" { description = < 0 ? var.tectonic_etcd_count : length(data.google_compute_zones.available.names) == 5 ? 5 : 3}" machine_type = "${var.tectonic_gcp_etcd_gce_type}" managed_zone_name = "${var.tectonic_gcp_ext_google_managedzone_name}" master_subnetwork_name = "${module.network.master_subnetwork_name}" public_ssh_key = "${var.tectonic_gcp_ssh_key}" - tls_ca_crt_pem = "${module.etcd_certs.etcd_ca_crt_pem}" - tls_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" - tls_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" tls_enabled = "${var.tectonic_etcd_tls_enabled}" - tls_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" - tls_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" - tls_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" - tls_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" zone_list = "${data.google_compute_zones.available.names}" } 
@@ -138,22 +132,27 @@ module "workers" { module "ignition_masters" { source = "../../modules/ignition" + assets_location = "${google_storage_bucket.assets_storage_bucket.name}/${google_storage_bucket_object.tectonic-assets.name}" bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" cluster_name = "${var.tectonic_cluster_name}" container_images = "${var.tectonic_container_images}" etcd_advertise_name_list = "${data.template_file.etcd_hostname_list.*.rendered}" + etcd_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" + etcd_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" etcd_count = "${length(data.template_file.etcd_hostname_list.*.id)}" etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}" + etcd_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" + etcd_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" + etcd_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" + etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" etcd_tls_enabled = "${var.tectonic_etcd_tls_enabled}" - - image_re = "${var.tectonic_image_re}" - kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" - kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }" - kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" - kubelet_node_label = "node-role.kubernetes.io/master" - kubelet_node_taints = "node-role.kubernetes.io/master=:NoSchedule" - tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" - assets_location = "${google_storage_bucket.assets_storage_bucket.name}/${google_storage_bucket_object.tectonic-assets.name}" + image_re = "${var.tectonic_image_re}" + kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" + kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? 
"/var/lib/cni/bin" : "" }" + kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" + kubelet_node_label = "node-role.kubernetes.io/master" + kubelet_node_taints = "node-role.kubernetes.io/master=:NoSchedule" + tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" } module "ignition_workers" { diff --git a/platforms/metal/cl/bootkube-controller.yaml.tmpl b/platforms/metal/cl/bootkube-controller.yaml.tmpl index 68d85b69240..f70a38960ca 100644 --- a/platforms/metal/cl/bootkube-controller.yaml.tmpl +++ b/platforms/metal/cl/bootkube-controller.yaml.tmpl @@ -38,6 +38,11 @@ systemd: - name: bootkube.service enable: false contents: {{.ign_bootkube_service_json}} + - name: update-ca-certificates.service + enable: true + dropins: + - name: 10-alwaysrun.conf + contents: {{.ign_update_ca_certificates_dropin_json}} {{ if eq .exclude_tectonic "0" }} - name: tectonic.path enable: true @@ -69,6 +74,11 @@ storage: mode: 0644 contents: inline: {{.ign_installer_runtime_mappings_json}} + - path: /etc/ssl/certs/custom_ca_certs.pem + filesystem: root + mode: 0400 + contents: + inline: {{.ign_custom_ca_certs_json}} passwd: users: - name: core diff --git a/platforms/metal/cl/bootkube-worker.yaml.tmpl b/platforms/metal/cl/bootkube-worker.yaml.tmpl index 72dd3a4e6e3..846a3117e75 100644 --- a/platforms/metal/cl/bootkube-worker.yaml.tmpl +++ b/platforms/metal/cl/bootkube-worker.yaml.tmpl @@ -27,6 +27,11 @@ systemd: - name: kubelet.service enable: true contents: {{.ign_kubelet_service_json}} + - name: update-ca-certificates.service + enable: true + dropins: + - name: 10-alwaysrun.conf + contents: {{.ign_update_ca_certificates_dropin_json}} storage: files: @@ -51,6 +56,11 @@ storage: mode: 0644 contents: inline: {{.ign_max_user_watches_json}} + - path: /etc/ssl/certs/custom_ca_certs.pem + filesystem: root + mode: 0400 + contents: + inline: {{.ign_custom_ca_certs_json}} passwd: users: - name: core 
diff --git a/platforms/metal/matchers.tf b/platforms/metal/matchers.tf index d0365bfd69a..76f86f2ca0e 100644 --- a/platforms/metal/matchers.tf +++ b/platforms/metal/matchers.tf @@ -32,10 +32,14 @@ module "ignition_masters" { bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" cluster_name = "${var.tectonic_cluster_name}" container_images = "${var.tectonic_container_images}" + custom_ca_cert_pem_list = "${var.tectonic_custom_ca_pem_list}" etcd_advertise_name_list = "${var.tectonic_metal_controller_domains}" + etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}" etcd_count = "${length(var.tectonic_metal_controller_names)}" etcd_initial_cluster_list = "${var.tectonic_metal_controller_domains}" image_re = "${var.tectonic_image_re}" + ingress_ca_cert_pem = "${module.ingress_certs.ca_cert_pem}" + kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}" kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }" kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" 
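Review bot: `etcd_ca_cert_pem`, `kube_ca_cert_pem` and `ingress_ca_cert_pem` are fed into the same `ca_cert_pem_list` that the matchbox groups below write to `/etc/ssl/certs`, so the cluster-internal CAs become system-wide trust anchors on every node rather than trust anchors only for the kube and etcd clients that already carry them. Every TLS client on the node, including the container runtime pulling images, would then accept a certificate minted by those CAs for an arbitrary hostname, which widens the impact of a compromised cluster signing key from the cluster API to all outbound TLS on the node. If the goal is only that components can reach the ingress endpoint, passing the ingress and custom CAs should suffice; otherwise record the decision on these lines, e.g. `# NOTE: these CAs become system-wide trust anchors on the node, not only for kube/etcd clients`. The openstack and vmware `ignition_masters` hunks and every `ignition_workers` block in this commit wire the same three inputs.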
@@ -61,32 +65,38 @@ resource "matchbox_group" "controller" { exclude_tectonic = "${var.tectonic_vanilla_k8s}" ssh_authorized_key = "${var.tectonic_ssh_authorized_key}" - ign_bootkube_path_unit_json = "${jsonencode(module.bootkube.systemd_path_unit_rendered)}" - ign_bootkube_service_json = "${jsonencode(module.bootkube.systemd_service_rendered)}" - ign_docker_dropin_json = "${jsonencode(module.ignition_masters.docker_dropin_rendered)}" - ign_etcd_dropin_json = "${jsonencode(module.ignition_masters.etcd_dropin_rendered_list[count.index])}" - ign_installer_kubelet_env_json = "${jsonencode(module.ignition_masters.installer_kubelet_env_rendered)}" - ign_installer_runtime_mappings_json = "${jsonencode(module.ignition_masters.installer_runtime_mappings_rendered)}" - ign_k8s_node_bootstrap_service_json = "${jsonencode(module.ignition_masters.k8s_node_bootstrap_service_rendered)}" - ign_kubelet_service_json = "${jsonencode(module.ignition_masters.kubelet_service_rendered)}" - ign_max_user_watches_json = "${jsonencode(module.ignition_masters.max_user_watches_rendered)}" - ign_tectonic_path_unit_json = "${jsonencode(module.tectonic.systemd_path_unit_rendered)}" - ign_tectonic_service_json = "${jsonencode(module.tectonic.systemd_service_rendered)}" + ign_bootkube_path_unit_json = "${jsonencode(module.bootkube.systemd_path_unit_rendered)}" + ign_bootkube_service_json = "${jsonencode(module.bootkube.systemd_service_rendered)}" + ign_custom_ca_certs_json = "${jsonencode(join("\n", module.ignition_masters.ca_cert_pem_list))}" + ign_docker_dropin_json = "${jsonencode(module.ignition_masters.docker_dropin_rendered)}" + ign_etcd_dropin_json = "${jsonencode(module.ignition_masters.etcd_dropin_rendered_list[count.index])}" + ign_installer_kubelet_env_json = "${jsonencode(module.ignition_masters.installer_kubelet_env_rendered)}" + ign_installer_runtime_mappings_json = "${jsonencode(module.ignition_masters.installer_runtime_mappings_rendered)}" + ign_k8s_node_bootstrap_service_json = 
"${jsonencode(module.ignition_masters.k8s_node_bootstrap_service_rendered)}" + ign_kubelet_service_json = "${jsonencode(module.ignition_masters.kubelet_service_rendered)}" + ign_max_user_watches_json = "${jsonencode(module.ignition_masters.max_user_watches_rendered)}" + ign_tectonic_path_unit_json = "${jsonencode(module.tectonic.systemd_path_unit_rendered)}" + ign_tectonic_service_json = "${jsonencode(module.tectonic.systemd_service_rendered)}" + ign_update_ca_certificates_dropin_json = "${jsonencode(module.ignition_masters.update_ca_certificates_dropin_rendered)}" } } module "ignition_workers" { source = "../../modules/ignition" - bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" - container_images = "${var.tectonic_container_images}" - image_re = "${var.tectonic_image_re}" - kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" - kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }" - kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" - kubelet_node_label = "node-role.kubernetes.io/node" - kubelet_node_taints = "" - tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" + bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" + container_images = "${var.tectonic_container_images}" + custom_ca_cert_pem_list = "${var.tectonic_custom_ca_pem_list}" + etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}" + image_re = "${var.tectonic_image_re}" + ingress_ca_cert_pem = "${module.ingress_certs.ca_cert_pem}" + kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}" + kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" + kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? 
"/var/lib/cni/bin" : "" }" + kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" + kubelet_node_label = "node-role.kubernetes.io/node" + kubelet_node_taints = "" + tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" } resource "matchbox_group" "worker" { @@ -108,11 +118,13 @@ resource "matchbox_group" "worker" { kubelet_image_tag = "${replace(var.tectonic_container_images["hyperkube"],var.tectonic_image_re,"$2")}" kube_version_image = "${var.tectonic_container_images["kube_version"]}" - ign_docker_dropin_json = "${jsonencode(module.ignition_workers.docker_dropin_rendered)}" - ign_installer_kubelet_env_json = "${jsonencode(module.ignition_workers.installer_kubelet_env_rendered)}" - ign_installer_runtime_mappings_json = "${jsonencode(module.ignition_workers.installer_runtime_mappings_rendered)}" - ign_k8s_node_bootstrap_service_json = "${jsonencode(module.ignition_workers.k8s_node_bootstrap_service_rendered)}" - ign_kubelet_service_json = "${jsonencode(module.ignition_workers.kubelet_service_rendered)}" - ign_max_user_watches_json = "${jsonencode(module.ignition_workers.max_user_watches_rendered)}" + ign_custom_ca_certs_json = "${jsonencode(join("\n", module.ignition_workers.ca_cert_pem_list))}" + ign_docker_dropin_json = "${jsonencode(module.ignition_workers.docker_dropin_rendered)}" + ign_installer_kubelet_env_json = "${jsonencode(module.ignition_workers.installer_kubelet_env_rendered)}" + ign_installer_runtime_mappings_json = "${jsonencode(module.ignition_workers.installer_runtime_mappings_rendered)}" + ign_k8s_node_bootstrap_service_json = "${jsonencode(module.ignition_workers.k8s_node_bootstrap_service_rendered)}" + ign_kubelet_service_json = "${jsonencode(module.ignition_workers.kubelet_service_rendered)}" + ign_max_user_watches_json = "${jsonencode(module.ignition_workers.max_user_watches_rendered)}" + ign_update_ca_certificates_dropin_json = "${jsonencode(module.ignition_workers.update_ca_certificates_dropin_rendered)}" } } 
diff --git a/platforms/openstack/neutron/main.tf b/platforms/openstack/neutron/main.tf index ecd5078ce07..48bce1ef594 100644 --- a/platforms/openstack/neutron/main.tf +++ b/platforms/openstack/neutron/main.tf @@ -157,17 +157,11 @@ EOF container_image = "${var.tectonic_container_images["etcd"]}" core_public_keys = ["${module.secrets.core_public_key_openssh}"] ign_coreos_metadata_dropin_id = "${module.ignition_masters.coreos_metadata_dropin_id}" + ign_etcd_crt_id_list = "${module.ignition_masters.etcd_crt_id_list}" ign_etcd_dropin_id_list = "${module.ignition_masters.etcd_dropin_id_list}" instance_count = "${var.tectonic_etcd_count}" self_hosted_etcd = "${var.tectonic_self_hosted_etcd}" - tls_ca_crt_pem = "${module.etcd_certs.etcd_ca_crt_pem}" - tls_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" - tls_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" tls_enabled = "${var.tectonic_etcd_tls_enabled}" - tls_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" - tls_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" - tls_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" - tls_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" } module "ignition_masters" { 
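Review bot: The etcd module now receives only `ign_etcd_crt_id_list`, while `ign_ca_cert_id_list` and `ign_update_ca_certificates_dropin_id` are passed only to the master and worker node modules, yet the config.md entry in this commit states the custom CAs are installed on etcd nodes as well. Unless `etcd_crt_id_list` already carries the custom bundle (its content lives in modules/ignition, outside this diff), etcd nodes will not get `tectonic_custom_ca_pem_list`; either wire the two ignition ids into this module or correct the documentation to "master and worker nodes". The vmware `module "etcd"` hunk has the same gap. The `module "etcd"` block starts before this hunk.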
@@ -177,11 +171,21 @@ module "ignition_masters" { bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" cluster_name = "${var.tectonic_cluster_name}" container_images = "${var.tectonic_container_images}" + custom_ca_cert_pem_list = "${var.tectonic_custom_ca_pem_list}" etcd_advertise_name_list = "${data.template_file.etcd_hostname_list.*.rendered}" + etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}" + etcd_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" + etcd_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" etcd_count = "${var.tectonic_etcd_count}" etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}" + etcd_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" + etcd_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" + etcd_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" + etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" etcd_tls_enabled = "${var.tectonic_etcd_tls_enabled}" image_re = "${var.tectonic_image_re}" + ingress_ca_cert_pem = "${module.ingress_certs.ca_cert_pem}" + kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}" kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }" kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" 
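Review bot: `etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}"` is passed unconditionally right next to `etcd_tls_enabled`, and the `tectonic_ca_count` local in config.tf hard-codes `+ 3` for the kube, etcd and ingress CAs. If `module.etcd_certs` yields an empty CA when etcd TLS is disabled (not visible here; confirm against modules/etcd_certs), the joined bundle gains an empty entry and whatever modules/ignition derives from the fixed count may produce a blank ignition file. A comment on this line making the assumption explicit, e.g. `# included even when etcd TLS is disabled; tectonic_ca_count in config.tf assumes it is always present`, or a guard that keeps the count consistent, would settle it. The `module "ignition_masters"` block starts before this hunk and continues after it.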
@@ -199,36 +203,42 @@ search ${var.tectonic_base_domain} ${join("\n", formatlist("nameserver %s", var.tectonic_openstack_dns_nameservers))} EOF - cluster_name = "${var.tectonic_cluster_name}" - core_public_keys = ["${module.secrets.core_public_key_openssh}"] - hostname_infix = "master" - ign_bootkube_path_unit_id = "${module.bootkube.systemd_path_unit_id}" - ign_bootkube_service_id = "${module.bootkube.systemd_service_id}" - ign_docker_dropin_id = "${module.ignition_masters.docker_dropin_id}" - ign_installer_kubelet_env_id = "${module.ignition_masters.installer_kubelet_env_id}" - ign_installer_runtime_mappings_id = "${module.ignition_masters.installer_runtime_mappings_id}" - ign_k8s_node_bootstrap_service_id = "${module.ignition_masters.k8s_node_bootstrap_service_id}" - ign_kubelet_service_id = "${module.ignition_masters.kubelet_service_id}" - ign_locksmithd_service_id = "${module.ignition_masters.locksmithd_service_id}" - ign_max_user_watches_id = "${module.ignition_masters.max_user_watches_id}" - ign_tectonic_path_unit_id = "${var.tectonic_vanilla_k8s ? 
"" : module.tectonic.systemd_path_unit_id}" - ign_tectonic_service_id = "${module.tectonic.systemd_service_id}" - instance_count = "${var.tectonic_master_count}" - kubeconfig_content = "${module.bootkube.kubeconfig}" + cluster_name = "${var.tectonic_cluster_name}" + core_public_keys = ["${module.secrets.core_public_key_openssh}"] + hostname_infix = "master" + ign_bootkube_path_unit_id = "${module.bootkube.systemd_path_unit_id}" + ign_bootkube_service_id = "${module.bootkube.systemd_service_id}" + ign_ca_cert_id_list = "${module.ignition_masters.ca_cert_id_list}" + ign_docker_dropin_id = "${module.ignition_masters.docker_dropin_id}" + ign_installer_kubelet_env_id = "${module.ignition_masters.installer_kubelet_env_id}" + ign_installer_runtime_mappings_id = "${module.ignition_masters.installer_runtime_mappings_id}" + ign_k8s_node_bootstrap_service_id = "${module.ignition_masters.k8s_node_bootstrap_service_id}" + ign_kubelet_service_id = "${module.ignition_masters.kubelet_service_id}" + ign_locksmithd_service_id = "${module.ignition_masters.locksmithd_service_id}" + ign_max_user_watches_id = "${module.ignition_masters.max_user_watches_id}" + ign_tectonic_path_unit_id = "${var.tectonic_vanilla_k8s ? "" : module.tectonic.systemd_path_unit_id}" + ign_tectonic_service_id = "${module.tectonic.systemd_service_id}" + ign_update_ca_certificates_dropin_id = "${module.ignition_masters.update_ca_certificates_dropin_id}" + instance_count = "${var.tectonic_master_count}" + kubeconfig_content = "${module.bootkube.kubeconfig}" } module "ignition_workers" { source = "../../../modules/ignition" - bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" - container_images = "${var.tectonic_container_images}" - image_re = "${var.tectonic_image_re}" - kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" - kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? 
"/var/lib/cni/bin" : "" }" - kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" - kubelet_node_label = "node-role.kubernetes.io/node" - kubelet_node_taints = "" - tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" + bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" + container_images = "${var.tectonic_container_images}" + custom_ca_cert_pem_list = "${var.tectonic_custom_ca_pem_list}" + etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}" + image_re = "${var.tectonic_image_re}" + ingress_ca_cert_pem = "${module.ingress_certs.ca_cert_pem}" + kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}" + kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" + kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }" + kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" + kubelet_node_label = "node-role.kubernetes.io/node" + kubelet_node_taints = "" + tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" } module "worker_nodes" { 
@@ -239,18 +249,20 @@ search ${var.tectonic_base_domain} ${join("\n", formatlist("nameserver %s", var.tectonic_openstack_dns_nameservers))} EOF - cluster_name = "${var.tectonic_cluster_name}" - core_public_keys = ["${module.secrets.core_public_key_openssh}"] - hostname_infix = "worker" - ign_docker_dropin_id = "${module.ignition_workers.docker_dropin_id}" - ign_installer_kubelet_env_id = "${module.ignition_workers.installer_kubelet_env_id}" - ign_installer_runtime_mappings_id = "${module.ignition_workers.installer_runtime_mappings_id}" - ign_k8s_node_bootstrap_service_id = "${module.ignition_workers.k8s_node_bootstrap_service_id}" - ign_kubelet_service_id = "${module.ignition_workers.kubelet_service_id}" - ign_locksmithd_service_id = "${module.ignition_workers.locksmithd_service_id}" - ign_max_user_watches_id = "${module.ignition_workers.max_user_watches_id}" - instance_count = "${var.tectonic_worker_count}" - kubeconfig_content = "${module.bootkube.kubeconfig}" + cluster_name = "${var.tectonic_cluster_name}" + core_public_keys = ["${module.secrets.core_public_key_openssh}"] + hostname_infix = "worker" + ign_ca_cert_id_list = "${module.ignition_workers.ca_cert_id_list}" + ign_docker_dropin_id = "${module.ignition_workers.docker_dropin_id}" + ign_installer_kubelet_env_id = "${module.ignition_workers.installer_kubelet_env_id}" + ign_installer_runtime_mappings_id = "${module.ignition_workers.installer_runtime_mappings_id}" + ign_k8s_node_bootstrap_service_id = "${module.ignition_workers.k8s_node_bootstrap_service_id}" + ign_kubelet_service_id = "${module.ignition_workers.kubelet_service_id}" + ign_locksmithd_service_id = "${module.ignition_workers.locksmithd_service_id}" + ign_max_user_watches_id = "${module.ignition_workers.max_user_watches_id}" + ign_update_ca_certificates_dropin_id = "${module.ignition_workers.update_ca_certificates_dropin_id}" + instance_count = "${var.tectonic_worker_count}" + kubeconfig_content = "${module.bootkube.kubeconfig}" } module 
"secrets" { diff --git a/platforms/vmware/main.tf b/platforms/vmware/main.tf index 2c273e6aee8..d8788a2bb84 100644 --- a/platforms/vmware/main.tf +++ b/platforms/vmware/main.tf @@ -9,16 +9,10 @@ module "etcd" { external_endpoints = ["${compact(var.tectonic_etcd_servers)}"] gateways = "${var.tectonic_vmware_etcd_gateways}" hostname = "${var.tectonic_vmware_etcd_hostnames}" + ign_etcd_crt_id_list = "${module.ignition_masters.etcd_crt_id_list}" ign_etcd_dropin_id_list = "${module.ignition_masters.etcd_dropin_id_list}" instance_count = "${var.tectonic_self_hosted_etcd != "" ? 0 : var.tectonic_etcd_count }" ip_address = "${var.tectonic_vmware_etcd_ip}" - tls_ca_crt_pem = "${module.etcd_certs.etcd_ca_crt_pem}" - tls_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" - tls_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" - tls_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" - tls_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" - tls_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" - tls_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" vm_disk_datastore = "${var.tectonic_vmware_etcd_datastore}" vm_disk_template = "${var.tectonic_vmware_vm_template}" vm_disk_template_folder = "${var.tectonic_vmware_vm_template_folder}" 
@@ -43,9 +37,19 @@ module "ignition_masters" { bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" cluster_name = "${var.tectonic_cluster_name}" container_images = "${var.tectonic_container_images}" + custom_ca_cert_pem_list = "${var.tectonic_custom_ca_pem_list}" etcd_advertise_name_list = "${data.template_file.etcd_hostname_list.*.rendered}" + etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}" + etcd_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" + etcd_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" etcd_count = "${length(data.template_file.etcd_hostname_list.*.rendered)}" + etcd_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" + etcd_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" + etcd_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" + etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" image_re = "${var.tectonic_image_re}" + ingress_ca_cert_pem = "${module.ingress_certs.ca_cert_pem}" + kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}" kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }" kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" 
@@ -57,83 +61,91 @@ module "ignition_masters" { module "masters" { source = "../../modules/vmware/node" - base_domain = "${var.tectonic_base_domain}" - container_images = "${var.tectonic_container_images}" - core_public_keys = ["${var.tectonic_vmware_ssh_authorized_key}"] - dns_server = "${var.tectonic_vmware_node_dns}" - gateways = "${var.tectonic_vmware_master_gateways}" - hostname = "${var.tectonic_vmware_master_hostnames}" - ign_bootkube_path_unit_id = "${module.bootkube.systemd_path_unit_id}" - ign_bootkube_service_id = "${module.bootkube.systemd_service_id}" - ign_docker_dropin_id = "${module.ignition_masters.docker_dropin_id}" - ign_installer_kubelet_env_id = "${module.ignition_masters.installer_kubelet_env_id}" - ign_installer_runtime_mappings_id = "${module.ignition_masters.installer_runtime_mappings_id}" - ign_k8s_node_bootstrap_service_id = "${module.ignition_masters.k8s_node_bootstrap_service_id}" - ign_kubelet_service_id = "${module.ignition_masters.kubelet_service_id}" - ign_locksmithd_service_id = "${module.ignition_masters.locksmithd_service_id}" - ign_max_user_watches_id = "${module.ignition_masters.max_user_watches_id}" - ign_tectonic_path_unit_id = "${var.tectonic_vanilla_k8s ? 
"" : module.tectonic.systemd_path_unit_id}" - ign_tectonic_service_id = "${module.tectonic.systemd_service_id}" - image_re = "${var.tectonic_image_re}" - instance_count = "${var.tectonic_master_count}" - ip_address = "${var.tectonic_vmware_master_ip}" - kubeconfig = "${module.bootkube.kubeconfig}" - private_key = "${var.tectonic_vmware_ssh_private_key_path}" - vm_disk_datastore = "${var.tectonic_vmware_master_datastore}" - vm_disk_template = "${var.tectonic_vmware_vm_template}" - vm_disk_template_folder = "${var.tectonic_vmware_vm_template_folder}" - vm_memory = "${var.tectonic_vmware_master_memory}" - vm_network_labels = "${var.tectonic_vmware_master_networks}" - vm_vcpu = "${var.tectonic_vmware_master_vcpu}" - vmware_clusters = "${var.tectonic_vmware_master_clusters}" - vmware_datacenters = "${var.tectonic_vmware_master_datacenters}" - vmware_folder = "${vsphere_folder.tectonic_vsphere_folder.path}" - vmware_resource_pool = "${var.tectonic_vmware_master_resource_pool}" + base_domain = "${var.tectonic_base_domain}" + container_images = "${var.tectonic_container_images}" + core_public_keys = ["${var.tectonic_vmware_ssh_authorized_key}"] + dns_server = "${var.tectonic_vmware_node_dns}" + gateways = "${var.tectonic_vmware_master_gateways}" + hostname = "${var.tectonic_vmware_master_hostnames}" + ign_bootkube_path_unit_id = "${module.bootkube.systemd_path_unit_id}" + ign_bootkube_service_id = "${module.bootkube.systemd_service_id}" + ign_ca_cert_id_list = "${module.ignition_masters.ca_cert_id_list}" + ign_docker_dropin_id = "${module.ignition_masters.docker_dropin_id}" + ign_installer_kubelet_env_id = "${module.ignition_masters.installer_kubelet_env_id}" + ign_installer_runtime_mappings_id = "${module.ignition_masters.installer_runtime_mappings_id}" + ign_k8s_node_bootstrap_service_id = "${module.ignition_masters.k8s_node_bootstrap_service_id}" + ign_kubelet_service_id = "${module.ignition_masters.kubelet_service_id}" + ign_locksmithd_service_id = 
"${module.ignition_masters.locksmithd_service_id}" + ign_max_user_watches_id = "${module.ignition_masters.max_user_watches_id}" + ign_tectonic_path_unit_id = "${var.tectonic_vanilla_k8s ? "" : module.tectonic.systemd_path_unit_id}" + ign_tectonic_service_id = "${module.tectonic.systemd_service_id}" + ign_update_ca_certificates_dropin_id = "${module.ignition_masters.update_ca_certificates_dropin_id}" + image_re = "${var.tectonic_image_re}" + instance_count = "${var.tectonic_master_count}" + ip_address = "${var.tectonic_vmware_master_ip}" + kubeconfig = "${module.bootkube.kubeconfig}" + private_key = "${var.tectonic_vmware_ssh_private_key_path}" + vm_disk_datastore = "${var.tectonic_vmware_master_datastore}" + vm_disk_template = "${var.tectonic_vmware_vm_template}" + vm_disk_template_folder = "${var.tectonic_vmware_vm_template_folder}" + vm_memory = "${var.tectonic_vmware_master_memory}" + vm_network_labels = "${var.tectonic_vmware_master_networks}" + vm_vcpu = "${var.tectonic_vmware_master_vcpu}" + vmware_clusters = "${var.tectonic_vmware_master_clusters}" + vmware_datacenters = "${var.tectonic_vmware_master_datacenters}" + vmware_folder = "${vsphere_folder.tectonic_vsphere_folder.path}" + vmware_resource_pool = "${var.tectonic_vmware_master_resource_pool}" } module "ignition_workers" { source = "../../modules/ignition" - bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" - container_images = "${var.tectonic_container_images}" - image_re = "${var.tectonic_image_re}" - kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" - kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? 
"/var/lib/cni/bin" : "" }" - kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" - kubelet_node_label = "node-role.kubernetes.io/node" - kubelet_node_taints = "" - tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" + bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" + container_images = "${var.tectonic_container_images}" + custom_ca_cert_pem_list = "${var.tectonic_custom_ca_pem_list}" + etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}" + image_re = "${var.tectonic_image_re}" + ingress_ca_cert_pem = "${module.ingress_certs.ca_cert_pem}" + kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}" + kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" + kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }" + kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" + kubelet_node_label = "node-role.kubernetes.io/node" + kubelet_node_taints = "" + tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" } module "workers" { source = "../../modules/vmware/node" - base_domain = "${var.tectonic_base_domain}" - container_images = "${var.tectonic_container_images}" - core_public_keys = ["${var.tectonic_vmware_ssh_authorized_key}"] - dns_server = "${var.tectonic_vmware_node_dns}" - gateways = "${var.tectonic_vmware_worker_gateways}" - hostname = "${var.tectonic_vmware_worker_hostnames}" - ign_docker_dropin_id = "${module.ignition_workers.docker_dropin_id}" - ign_installer_kubelet_env_id = "${module.ignition_workers.installer_kubelet_env_id}" - ign_installer_runtime_mappings_id = "${module.ignition_workers.installer_runtime_mappings_id}" - ign_k8s_node_bootstrap_service_id = "${module.ignition_workers.k8s_node_bootstrap_service_id}" - ign_kubelet_service_id = "${module.ignition_workers.kubelet_service_id}" - ign_locksmithd_service_id = "${module.ignition_workers.locksmithd_service_id}" - ign_max_user_watches_id = "${module.ignition_workers.max_user_watches_id}" - 
image_re = "${var.tectonic_image_re}" - instance_count = "${var.tectonic_worker_count}" - ip_address = "${var.tectonic_vmware_worker_ip}" - kubeconfig = "${module.bootkube.kubeconfig}" - private_key = "${var.tectonic_vmware_ssh_private_key_path}" - vm_disk_datastore = "${var.tectonic_vmware_worker_datastore}" - vm_disk_template = "${var.tectonic_vmware_vm_template}" - vm_disk_template_folder = "${var.tectonic_vmware_vm_template_folder}" - vm_memory = "${var.tectonic_vmware_worker_memory}" - vm_network_labels = "${var.tectonic_vmware_worker_networks}" - vm_vcpu = "${var.tectonic_vmware_worker_vcpu}" - vmware_clusters = "${var.tectonic_vmware_worker_clusters}" - vmware_datacenters = "${var.tectonic_vmware_worker_datacenters}" - vmware_folder = "${vsphere_folder.tectonic_vsphere_folder.path}" - vmware_resource_pool = "${var.tectonic_vmware_worker_resource_pool}" + base_domain = "${var.tectonic_base_domain}" + container_images = "${var.tectonic_container_images}" + core_public_keys = ["${var.tectonic_vmware_ssh_authorized_key}"] + dns_server = "${var.tectonic_vmware_node_dns}" + gateways = "${var.tectonic_vmware_worker_gateways}" + hostname = "${var.tectonic_vmware_worker_hostnames}" + ign_ca_cert_id_list = "${module.ignition_workers.ca_cert_id_list}" + ign_docker_dropin_id = "${module.ignition_workers.docker_dropin_id}" + ign_installer_kubelet_env_id = "${module.ignition_workers.installer_kubelet_env_id}" + ign_installer_runtime_mappings_id = "${module.ignition_workers.installer_runtime_mappings_id}" + ign_k8s_node_bootstrap_service_id = "${module.ignition_workers.k8s_node_bootstrap_service_id}" + ign_kubelet_service_id = "${module.ignition_workers.kubelet_service_id}" + ign_locksmithd_service_id = "${module.ignition_workers.locksmithd_service_id}" + ign_max_user_watches_id = "${module.ignition_workers.max_user_watches_id}" + ign_update_ca_certificates_dropin_id = "${module.ignition_workers.update_ca_certificates_dropin_id}" + image_re = "${var.tectonic_image_re}" + 
instance_count = "${var.tectonic_worker_count}" + ip_address = "${var.tectonic_vmware_worker_ip}" + kubeconfig = "${module.bootkube.kubeconfig}" + private_key = "${var.tectonic_vmware_ssh_private_key_path}" + vm_disk_datastore = "${var.tectonic_vmware_worker_datastore}" + vm_disk_template = "${var.tectonic_vmware_vm_template}" + vm_disk_template_folder = "${var.tectonic_vmware_vm_template_folder}" + vm_memory = "${var.tectonic_vmware_worker_memory}" + vm_network_labels = "${var.tectonic_vmware_worker_networks}" + vm_vcpu = "${var.tectonic_vmware_worker_vcpu}" + vmware_clusters = "${var.tectonic_vmware_worker_clusters}" + vmware_datacenters = "${var.tectonic_vmware_worker_datacenters}" + vmware_folder = "${vsphere_folder.tectonic_vsphere_folder.path}" + vmware_resource_pool = "${var.tectonic_vmware_worker_resource_pool}" }